A security vulnerability that could endanger up to 99% of all Android devices has been unearthed by a security firm. With more than 900 million Android devices said to have been activated, the vulnerability ranks as one of the biggest security scares on the platform to date.
The flaw was discovered by Bluebox Security, which claims to have found Android’s “master key.” Gaining possession of this key would allow hackers to corrupt just about any Android application and turn it into a malicious “zombie” app capable of taking over any device that installs it. The flaw allows hackers to modify an app’s APK code without corrupting the cryptographic signature that Google uses to authenticate it. According to Bluebox’s CTO Jeff Forristal, this kind of malicious application would be able to grant itself ‘permission’ to access all of the data and control functions on a device, including calls, messages and emails, whilst evading detection from the device owner, Google or the app developer – the app could be loaded with malware, but to all intents and purposes it would appear to be legitimate.
Even worse is the scale of the problem. Forristal claims that the vulnerability has existed since Android version 1.6, AKA ‘Donut’. Effectively this means that 99% of all Android devices could be at risk.
Bluebox hasn’t revealed any details about how the vulnerability can be exploited, but nevertheless it does appear to be a legitimate concern. Forristal is well-respected on the security scene and so he’s unlikely to risk his reputation for a PR stunt. Moreover, Bluebox disclosed the vulnerability to Google last February, and it has since been listed as official Android security bug 8219321. The company says that it plans to reveal proofs-of-concept at the upcoming Black Hat USA 2013 security conference.
The good news at least is that while 99% of all devices could potentially be at risk, it’s highly unlikely that anywhere near that number will be affected. Google is already said to have patched its Play Store, and it’s now apparently able to recognize app updates that try to take advantage of the flaw. The real risk lies with those users who like to install apps from third-party app stores other than Google Play, or else through fake links to an app that are sent via email or placed on a website. Also at risk are older devices, particularly those running the Gingerbread or Froyo variants of Android, as these no longer receive updates from device manufacturers.
If anything, this news serves as yet another reminder that users are better off sticking to official app stores when it comes to downloading their applications. Meanwhile, Bluebox further advises that device owners should be extra cautious when it comes to identifying app publishers.